FireEye discovers iOS Masque Attack, Apple downplays threat

Computer security experts are warning Apple customers over a new bug that affects iOS devices such as the iPhone and iPad. This post is a continuation of a release last week about safety on your Apple devices.

The US Computer Emergency Readiness Team (US-CERT) said on Thursday that users of such devices running on the latest version of iOS should be careful about what they click on. The team also advised users not to install apps from anywhere other than their own organization or Apple’s official App Store. The CERT further warned against opening an app if an alert says “Untrusted App Developer,” saying the user should instead click on “Don’t Trust” before immediately deleting it.

The exploit, dubbed “Masque Attack,” was reportedly discovered in July 2014 by FireEye and reported to Apple on the 26th of the same month (security researcher Stefan Esser of SektionEins may have discovered the same or a closely related exploit last year, which he presented at the SyScan 2013 conference).

In a blog post on Monday, the company said it believes new versions of iOS are still vulnerable, and that the weakness can be exploited via a masque-based attack campaign they have dubbed “WireLurker.”

WireLurker is the first malware capable of spreading from an infected Mac OS X system to a non-jailbroken iOS device and has reportedly been downloaded over 350,000 times already.

US-CERT explained how Masque Attack works:

“This attack works by luring users to install an app from a source other than the iOS App Store or their organizations’ provisioning system. In order for the attack to succeed, a user must install an untrusted app, such as one delivered through a phishing link.

This technique takes advantage of a security weakness that allows an untrusted app—with the same “bundle identifier” as that of a legitimate app—to replace the legitimate app on an affected device, while keeping all of the user’s data. This vulnerability exists because iOS does not enforce matching certificates for apps with the same bundle identifier. Apple’s own iOS platform apps, such as Mobile Safari, are not vulnerable.”

The computer emergency team went on to say that an app installed in this manner could copy the user interface of the original app, thereby tricking the user into entering their username and password. It could also steal personal and other sensitive information from local data caches as well as perform background monitoring of the device. Lastly, it could snaffle root privileges to any iOS device it was installed on, all because it was indistinguishable from a real app.
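To make the weakness concrete, here is an added Python model (not Apple's code, nor FireEye's or US-CERT's) of the install decision: a policy that compares only the bundle identifier beside one that also requires a matching signer, plus an inventory audit that flags the signer mismatch a replaced app leaves behind. The bundle ids, signer names and platform-app list are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model of the install decision US-CERT describes; not Apple's code.
# Apple platform apps (bundle ids assumed here) are never replaceable by third-party installs.
PLATFORM_APPS = {"com.apple.mobilesafari", "com.apple.mobilemail"}


@dataclass(frozen=True)
class App:
    bundle_id: str   # identifier iOS uses to decide "same app"
    signer: str      # certificate/team identity that signed the binary (constructed)
    source: str      # "appstore" or "enterprise"


def install_allowed_vulnerable(installed: Optional[App], incoming: App) -> bool:
    """Weak policy: only the bundle identifier is compared, so an enterprise-signed
    app with a colliding bundle id replaces the legitimate one and inherits its data."""
    if incoming.bundle_id in PLATFORM_APPS:
        return False
    return installed is None or installed.bundle_id == incoming.bundle_id


def install_allowed_hardened(installed: Optional[App], incoming: App) -> bool:
    """Hardened policy: a replacement must carry the same signer as the app it replaces."""
    if incoming.bundle_id in PLATFORM_APPS:
        return False
    if installed is None:
        return True
    return installed.bundle_id == incoming.bundle_id and installed.signer == incoming.signer


def find_masqueraded(inventory: List[App], baseline: Dict[str, str]) -> List[str]:
    """Audit check for an existing fleet: return bundle ids of installed apps whose
    signer differs from the signer recorded for that bundle id in a trusted baseline
    (e.g. an MDM export), the footprint a Masque-style replacement leaves behind."""
    return sorted(a.bundle_id for a in inventory
                  if a.bundle_id in baseline and baseline[a.bundle_id] != a.signer)


if __name__ == "__main__":
    legit = App("com.example.bank", "APPSTORE-TEAM-1", "appstore")      # constructed
    rogue = App("com.example.bank", "ENTERPRISE-CERT-X", "enterprise")  # constructed
    print(install_allowed_vulnerable(legit, rogue))  # True: the weakness
    print(install_allowed_hardened(legit, rogue))    # False: blocked
```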

Given that FireEye says it has confirmed this type of attack, including the uploading of data to a remote server, you would think Apple would have moved to patch the bug, especially since the security company has had little time to look into other potentially related attacks that may yet surface.

That is not the case, though: Apple says no one has actually been affected by the vulnerability thus far, an assertion that flies in the face of a blog post from Kaspersky Lab suggesting that WireLurker has claimed victims, albeit a small number.

If you would like to learn more about how the iOS Masque attack works, FireEye has uploaded a demonstration video: